Category: Security

VoIP for Business provides a range of benefits, including substantial cost-savings that make it a must-have for most businesses. However, as with most IT advances, VoIP has attracted the darker side of the developer community. Hackers and scammers are using VoIP for Business as a way to steal data and execute hacking exploits.

As with other types of malware attacks, businesses need to be aware of how these exploits are executed and what preventative measures they can take.

The first thing to understand is that most successful hacking attacks work by getting users to provide sensitive information. Scammers are becoming more sophisticated, and they are increasingly using VoIP to steal personal and company data or just cause mischief.

Here are some common types of attack and how to avoid them.

Interception

An attacker can hack into your VoIP system to record business conversations. The recordings can then be decrypted, sometimes in real time, to obtain crucial business or personal information.

The first step is obviously to prevent hackers entering your VoIP system in the first place. Change server passwords, and under no circumstances continue to use the manufacturer-supplied default passwords.

Because your VoIP call is likely to be routed outside your network, protecting your calls from interception can be out of your hands. If security is a major concern, there are software tools that provide a second layer of end-to-end encryption. Adding a second encryption layer makes it highly unlikely that calls can be decrypted in real time, or even when recorded calls are analysed offline.

Hosted Services

If you are using a VoIP Hosted Service supplier, you need to be very careful about the security they provide. You need to be sure that they are as secure as you would be with an in-house system.

Firewalls and Security

All companies already implement firewalls and security in their overall ICT infrastructure. If you are concerned about security, it may be prudent to deploy a VoIP-specific firewall that closes a VoIP session once the call is complete. This prevents hackers piggy-backing on a session to find out information about your VoIP system.

In a high-security environment, you may consider adding further layers of security, for example allowing only authenticated devices to make or receive VoIP calls.
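The two controls described in this section, closing the media path once the call ends and admitting only authenticated devices, sketched as an added example (not code from the original article or from any firewall product). The class name, the IP allow-list standing in for device authentication, and the sample SIP messages are assumptions constructed for illustration.

```python
import re

class VoipPinholeFirewall:
    """Keeps an RTP pinhole open only while a call from an allowed device is live."""
    def __init__(self, allowed_devices):
        self.allowed = set(allowed_devices)  # stand-in for real device authentication
        self.pending, self.open = {}, {}     # Call-ID -> (ip, port): offered / live

    def on_sip(self, src_ip, msg):  # returns the action taken for one SIP message
        start = msg.split("\r\n", 1)[0]
        cid = re.search(r"^Call-ID:\s*(\S+)", msg, re.M | re.I)
        if not cid:
            return "drop-malformed"
        call_id = cid.group(1)
        if start.startswith("INVITE "):
            if src_ip not in self.allowed:
                return "reject-unauthenticated"
            conn = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
            media = re.search(r"^m=audio (\d+) ", msg, re.M)
            if not (conn and media):
                return "drop-malformed"
            self.pending[call_id] = (conn.group(1), int(media.group(1)))
            return "pending"
        answered = start.startswith("SIP/2.0 200") and re.search(r"^CSeq:\s*\d+\s+INVITE\b", msg, re.M | re.I)
        if answered and call_id in self.pending:
            self.open[call_id] = self.pending.pop(call_id)  # call established: open media path
            return "pinhole-open"
        if start.startswith(("BYE ", "CANCEL ")):
            if self.open.pop(call_id, None) or self.pending.pop(call_id, None):
                return "pinhole-closed"  # call over: nothing left to piggy-back on
        return "ignored"

    def allow_rtp(self, dst_ip, dst_port):  # media passes only to a live call's endpoint
        return (dst_ip, dst_port) in self.open.values()

def sip(start, call_id, cseq, sdp=()):  # constructed sample message, not a capture
    return "\r\n".join([start, f"Call-ID: {call_id}", f"CSeq: {cseq}", "", *sdp]) + "\r\n"

def demo():
    fw, sdp = VoipPinholeFirewall({"10.0.0.21"}), ["c=IN IP4 10.0.0.21", "m=audio 49170 RTP/AVP 0"]
    return [
        fw.on_sip("203.0.113.9", sip("INVITE sip:b@example.com SIP/2.0", "c0", "1 INVITE", sdp)),
        fw.on_sip("10.0.0.21", sip("INVITE sip:b@example.com SIP/2.0", "c1", "1 INVITE", sdp)),
        fw.allow_rtp("10.0.0.21", 49170),   # offered but unanswered: still closed
        fw.on_sip("198.51.100.5", sip("SIP/2.0 200 OK", "c1", "1 INVITE")),
        fw.allow_rtp("10.0.0.21", 49170),   # call is live
        fw.on_sip("10.0.0.21", sip("BYE sip:b@example.com SIP/2.0", "c1", "2 BYE")),
        fw.allow_rtp("10.0.0.21", 49170),   # call ended: closed again
    ]
```

Calling `demo()` returns the decision at each step, so the pinhole can be seen closed before the answer, open during the call, and closed again after the BYE.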

User Security

You can implement all the technical security features you like, but the majority of successful data breaches and hack attacks occur because of user error, deliberate or malicious.

Phishing

In a phone-based phishing attack, the hacker calls a user and pretends to be from IT support or from a recognised company IT supplier.

In an attack on a user, the caller may quiz the user for personal information such as credit card numbers, bank account details or information on family or friends. Sometimes they claim to be from IT Support and say the user needs to go to a website “to update their software”, and the malware finds its way onto the company network.

Support policies applied by ICT need to ensure that all ICT maintenance functions are carried out by staff with verifiable credentials. In any event, most ICT update functions can be carried out remotely without user involvement.

Users need to be educated not to respond to requests by third parties to carry out maintenance tasks on their PCs and to refer the caller to IT support.

Fake Caller/Caller ID

A phishing attack over a VoIP or cellular connection can be legitimised by having a caller-id that shows the call coming from a reputable source. Unfortunately, caller-ids can be faked. Users need to be very careful and verify that the caller is legitimate before divulging any potentially sensitive information.

War Dialing

In a carry-over from the dial-up modem days, a hacker sends out a phone message to hundreds of voicemail boxes, asking the recipient to return the call. This legitimises the number and allows the hacker to carry out a phishing attack.

In short, VoIP defences have two components: technical appliance and software defences, and an education programme for users to make sure that they do not provide potentially sensitive information to a third party. Obviously, electronic defences need to be kept up to date. Users need to be educated on general and VoIP security on a regular basis.

The benefits that VoIP for Business can bring to your business are undeniable. Add to that Cloud VoIP, hosted or on-site, and you have a winning combination that can add significantly to your business profile.

Depending on the size of the business, either implementation can be applicable. However, having said that, a cloud-based approach can fit more easily with an existing cloud-based environment, either on‑site or hosted.

Before choosing a particular approach, it is best to consider firstly whether on-site or hosted VoIP is better suited to the business, and secondly, whether a Cloud-based architecture is appropriate.

First we had viruses, then rootkits, now we have ransomware. One thing is certain: the next bit of malware technology is currently under development and will be with us soon. Even systems like VoIP are under attack and are being used as portals to gain access to corporate information.

What kind of threats are currently being seen in VoIP systems and how are they to be countered?

The first thing to understand is that because VoIP is based on IP technologies, it is vulnerable to all the malware and attack techniques that are inflicted on IP networks. The second is that VoIP goes over the Internet, and while you can contain and manage IP security in your internal closed corporate network, you are at the mercy of third-party service providers of varying quality in their security systems. The third, and one often forgotten, is that all devices in the VoIP network are IP devices and are therefore vulnerable to all the threats found with other IP devices. That must be factored into the overall data and voice protection scenario.